Bug #108295 mysql80-community-release-el7-6.noarch.rpm has GPG keys in the wrong directory
Submitted: 26 Aug 2022 11:43 Modified: 29 Aug 2022 4:34
Reporter: Paul Whitaker Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Packaging Severity:S3 (Non-critical)
Version:8.0 OS:CentOS
Assigned to: Balasubramanian Kandasamy CPU Architecture:Any

[26 Aug 2022 11:43] Paul Whitaker
Description:
The current release package for EL7 (mysql80-community-release-el7-6.noarch.rpm) has the GPG directly in the /etc directory instead of /etc/pki/rpm-gpg.

That prevents you from installing anything from the repository without moving the keys into the correct location

How to repeat:
Comparing the current release package to the previous one - note the paths of the two GPG keys in the packages are different:

# wget https://dev.mysql.com/get/mysql80-community-release-el7-5.noarch.rpm https://dev.mysql.com/get/mysql80-community-release-el7-6.noarch.rpm

# rpm -qlp mysql80-community-release-el7-5.noarch.rpm 
warning: mysql80-community-release-el7-5.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 3a79bd29: NOKEY
/etc/pki/rpm-gpg/RPM-GPG-KEY-mysql
/etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2022
/etc/yum.repos.d/mysql-community-source.repo
/etc/yum.repos.d/mysql-community.repo

# rpm -qlp mysql80-community-release-el7-6.noarch.rpm 
warning: mysql80-community-release-el7-6.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 3a79bd29: NOKEY
/etc/RPM-GPG-KEY-mysql
/etc/RPM-GPG-KEY-mysql-2022
/etc/yum.repos.d/mysql-community-debuginfo.repo
/etc/yum.repos.d/mysql-community-source.repo
/etc/yum.repos.d/mysql-community.repo

Installing the current release package & then trying to install a mysql package from it fails due to the GPG keys not being in the correct place:
# yum install mysql80-community-release-el7-6.noarch.rpm 
# yum install mysql-community-libs
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: mirror.cov.ukservers.com
 * extras: mirror.as29550.net
 * updates: mirror.as29550.net
mysql-connectors-community                                                                                   | 2.6 kB  00:00:00     
mysql-tools-community                                                                                        | 2.6 kB  00:00:00     
mysql80-community                                                                                            | 2.6 kB  00:00:00     
(1/3): mysql-connectors-community/x86_64/primary_db                                                          |  90 kB  00:00:00     
(2/3): mysql-tools-community/x86_64/primary_db                                                               |  87 kB  00:00:00     
(3/3): mysql80-community/x86_64/primary_db                                                                   | 211 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package mysql-community-libs.x86_64 0:8.0.30-1.el7 will be installed
--> Processing Dependency: mysql-community-client-plugins = 8.0.30-1.el7 for package: mysql-community-libs-8.0.30-1.el7.x86_64
--> Processing Dependency: mysql-community-common(x86-64) >= 8.0.11 for package: mysql-community-libs-8.0.30-1.el7.x86_64
--> Running transaction check
---> Package mysql-community-client-plugins.x86_64 0:8.0.30-1.el7 will be installed
---> Package mysql-community-common.x86_64 0:8.0.30-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================================
 Package                                      Arch                 Version                    Repository                       Size
====================================================================================================================================
Installing:
 mysql-community-libs                         x86_64               8.0.30-1.el7               mysql80-community               1.5 M
Installing for dependencies:
 mysql-community-client-plugins               x86_64               8.0.30-1.el7               mysql80-community               2.5 M
 mysql-community-common                       x86_64               8.0.30-1.el7               mysql80-community               645 k

Transaction Summary
====================================================================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 4.6 M
Installed size: 31 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/mysql80-community/packages/mysql-community-common-8.0.30-1.el7.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 3a79bd29: NOKEY
Public key for mysql-community-common-8.0.30-1.el7.x86_64.rpm is not installed
(1/3): mysql-community-common-8.0.30-1.el7.x86_64.rpm                                                        | 645 kB  00:00:00     
(2/3): mysql-community-client-plugins-8.0.30-1.el7.x86_64.rpm                                                | 2.5 MB  00:00:00     
(3/3): mysql-community-libs-8.0.30-1.el7.x86_64.rpm                                                          | 1.5 MB  00:00:00     
------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                15 MB/s | 4.6 MB  00:00:00     
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2022

GPG key retrieval failed: [Errno 14] curl#37 - "Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2022"

Suggested fix:
Move the GPG keys back to /etc/pki/rpm-gpg
[26 Aug 2022 12:17] MySQL Verification Team
Hi Mr. Whitaker,

Thank you for your bug report.

We have checked and concluded that you are correct.

Verified as reported.
[29 Aug 2022 4:34] Balasubramanian Kandasamy
Thanks for the bug report. 

We have fixed the GPG key location in the el7 setup RPM (mysql80-community-release-el7-7.noarch.rpm).
[29 Aug 2022 12:15] MySQL Verification Team
Thank you, Balasubramanian Kandasamy, for the quick fix.